ediaz
Frequent Visitor
Topic Author
Posts: 59
Joined: Tue May 22, 2012 10:38 am

firewall filter rule for text string

Tue Jul 16, 2013 12:27 pm

Hi,

I want to block DNS requests for "isc.org" domain, which are being abused for a DDoS attack. I've created a filter rule:

/ip firewall filter
add action=drop chain=forward content="isc\03org" disabled=no dst-port=\
53 protocol=udp

But it does not work. If I create a similar rule without the \03org, it effectively blocks anything in the form "*isc*".

What is the syntax for the text matching in filter rules? Does it accept wildcards/regex in any way? DNS queries separate domain segments with ETX (0x03).

In the wiki I can only find:

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

content (string; Default: ) Match packets that contain specified text

Regards
 
ediaz
Frequent Visitor
Topic Author
Posts: 59
Joined: Tue May 22, 2012 10:38 am

Re: firewall filter rule for text string

Tue Jul 16, 2013 12:35 pm

A smart guy here at the office did a fuzzy and dirty trick that just works:

echo -e '\003' > tmpfile
He then did cut & paste from that file to the web browser (Opera).

The filter rule now shows:

0 chain=forward action=drop protocol=udp dst-port=53 content=\03isc\03org

where the "\03" shows in blue (if I enter it manually from the ssh console or another browser, it shows in regular grey).

While this solves our problem now, I would rather know how to enter this kind of characters in a filter rule in a cleaner way.

Regards
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: firewall filter rule for text string

Tue Jul 16, 2013 2:02 pm

You should assign the rule to your input chain, not on the forward chain
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: firewall filter rule for text string

Tue Jul 23, 2013 3:25 am

try 'export' instead of 'print' command

UPD:
/ip firewall mangle set 8 content="isc\03org"
works fine for me, "\03" is in blue when doing 'print'
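The following is an added example, not code from the thread or from MikroTik. It shows what a RouterOS `content=` substring match actually sees in a DNS query: in DNS wire format every label is prefixed by its length byte, so "isc.org" is sent as 03 'i' 's' 'c' 03 'o' 'r' 'g' 00, which is where the 0x03 bytes around "isc" and "org" come from. The script encodes a name the way a resolver does, prints the escaped string to paste into a `content=` rule (assuming the `\XX` two-hex-digit escape form that `export` prints), and compares the match patterns discussed in the thread (`isc`, `isc\03org`, `\03isc\03org`, and the fully anchored `\03isc\03org\00`) against constructed sample queries, including the "*isc*" false positives from the first post. The query packets and domain list are constructed for the example, not captured traffic.

```python
import struct

# Added example: emulate a RouterOS content= match over DNS queries.
# Assumption: RouterOS escapes non-printable bytes in strings as \XX (two hex digits).


def encode_qname(name: str) -> bytes:
    """Encode a domain name as a DNS QNAME: length-prefixed labels plus a 0x00 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"invalid label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header plus one A/IN question. Constructed sample packet."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, RD flag, QDCOUNT=1
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def routeros_content(name: str) -> str:
    """Escape the wire-format name for a RouterOS content= string (assumed \\XX hex escapes)."""
    out = ""
    for b in encode_qname(name):
        ch = chr(b)
        if b < 0x80 and (ch.isalnum() or ch == "-"):
            out += ch  # hostname characters pass through unchanged
        else:
            out += f"\\{b:02X}"  # length bytes and the terminator become \03, \07, \00, ...
    return out


# The patterns discussed in the thread, as the raw bytes the router compares against.
PATTERNS = {
    "isc": b"isc",                               # first post: matches anything "*isc*"
    r"isc\03org": b"isc\x03org",                  # the original rule
    r"\03isc\03org": b"\x03isc\x03org",           # the follow-up rule with a leading \03
    r"\03isc\03org\00": b"\x03isc\x03org\x00",    # full QNAME, anchored at both ends
}

# Constructed sample query names, chosen to exercise the edge cases.
SAMPLE_QUERIES = [
    "isc.org",
    "www.isc.org",
    "isc.org.example.com",
    "misc.org",
    "isc.organic",
    "discord.com",
]


def content_matches(pattern: bytes, qname: str) -> bool:
    """content= is a plain substring match over the packet, so that is all we emulate."""
    return pattern in build_query(qname)


def match_table() -> dict:
    """For each sample query, which of the patterns would drop it."""
    return {q: {p: content_matches(raw, q) for p, raw in PATTERNS.items()} for q in SAMPLE_QUERIES}


if __name__ == "__main__":
    print("content string for isc.org:", routeros_content("isc.org"))
    print(f"{'query':24}" + "".join(f"{p:20}" for p in PATTERNS))
    for q, row in match_table().items():
        print(f"{q:24}" + "".join(f"{str(v):20}" for v in row.values()))
```

The table makes the trade-offs visible: `isc` alone also drops discord.com and isc.organic; `isc\03org` still drops misc.org because the match is not anchored at the start of the label; `\03isc\03org` fixes that but still drops isc.org.example.com; the fully anchored `\03isc\03org\00` matches only isc.org and its subdomains. Whichever form you pick, `content=` is a raw substring match with no wildcard or regex support, so the escaped string must contain the exact bytes, which is why the pasted 0x03 byte worked and the plain text "\03" typed into some consoles did not.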
